In present-day use of the many versatile computer systems available, there is often an unrecognized problem of providing integrity and security so that, it is hoped, no external or hostile user will be able to penetrate an existing computer system and access its data and programs.
The threat of a system's security being compromised by user-written programs must be taken into account, especially in an environment where the hardware supports, rather than is primarily responsible for, the enforcement of security.
The existing program code in a given computer system plays a central role where there are threats to a software-based security architecture. As a result there is a need for the concept of "program containment", which raises questions as to the nature and extent of the trust that should be placed in compilers, as well as the types of controls that must be placed both on the compilers used and on the programs they create.
In the succeeding descriptions, the term "code file" will be used in a particular sense which refers to a file that contains compiler-generated, machine-executable code. These are the types of code files that are used in the Unisys A Series computer systems.
The "code file" may be described as a file produced by a compiler when a program is compiled successfully. This file will contain instructions in machine-executable object code.
The "compiler" may be expressed as a program authorized to translate a program source from high-level language into machine-executable object code.
In the Unisys A Series system, the operating system is primarily responsible for enforcing the A Series security policies with respect to users, files, programs, and processes. There are two versions of the operating system available which involve (i) the MCP (Master Control Program) and (ii) the MCP/AS (Master Control Program/Advanced System). The succeeding description will refer to the operating system in the generic sense so as to include either version. The A Series provides high-level protection mechanisms which incorporate the principles of Discretionary Access Control (DAC), Identification and Authentication, Audit, Object Reuse, and Least Privileged Operations which have been described in the Trusted Computer System Evaluation Criteria published as Department of Defense Standard DOD 5200.28-STD, December 1985.
Thus the integrity of a computer system is highly dependent upon the level of trust that can be placed in the integrity of the code executed by the computer. When ordinary programs are allowed to create or to modify code, the computer system executing that code is vulnerable to compromise because no trust can be placed in code generated by uncontrolled programs.
On traditional computer systems, code and data are very often not well differentiated. As a result, data can often be executed as code, and ordinary programs are able to create code that can compromise the integrity of the computer system.
Unisys "A Series" computers identify code words in memory by a special hardware tag value (designated tag 3). Ordinary programs are denied the ability to manipulate the hardware tags. The Master Control Program (MCP) forces the tag of 3 onto the code words when it reads a code segment from a permanent code file into the memory of the host computer.
Although the hardware tag enforcement prevents ordinary programs from creating or modifying code in memory, a mechanism is needed to prevent arbitrary creation of code files on an external storage medium, such as a disk or tape unit. The previously filed patent application, U.S. Ser. No. 196,709 entitled "Restricting Code Generation to Authorized Compilers", provides the mechanism needed to prevent arbitrary creation of code files on such external storage media.
However, any system that restricts code generation to "authorized compilers" is vulnerable to compromise if the ability to "authorize" a compiler is not very carefully controlled.
The present disclosure provides a mechanism for limiting compiler authorization to properly privileged personnel.
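The trust chain described above (tagged code words, a loader that alone applies tag 3, code files accepted only from authorized compilers, and compiler authorization restricted to privileged personnel) is illustrated by the following added model in Python; it is not part of this disclosure or of the A Series software, and the class and method names, the `privileged` flag on a principal, and the use of tag 0 for data words are assumptions.

```python
from dataclasses import dataclass

CODE_TAG = 3  # the hardware tag the text assigns to code words; any other tag is treated as data here

class SecurityViolation(Exception):
    pass

@dataclass(frozen=True)
class Principal:
    name: str
    privileged: bool  # hypothetical flag standing in for "properly privileged personnel"

@dataclass
class Word:
    tag: int
    value: str

@dataclass
class CodeFile:
    name: str
    producer: str  # name of the compiler that wrote the file
    words: list

class ASeriesModel:
    """Toy model: only a privileged principal may authorize a compiler, only an
    authorized compiler's output is accepted as a code file, and only the loader
    (playing the MCP) ever writes tag 3 into memory."""
    def __init__(self):
        self.authorized_compilers = set()
        self.memory = []
    def authorize_compiler(self, principal, compiler):
        if not principal.privileged:
            raise SecurityViolation(f"{principal.name} may not authorize compilers")
        self.authorized_compilers.add(compiler)
    def load_code_file(self, code_file):
        # The loader forces tag 3 only onto words read from an accepted code file
        if code_file.producer not in self.authorized_compilers:
            raise SecurityViolation(f"{code_file.name}: producer is not an authorized compiler")
        base = len(self.memory)
        self.memory.extend(Word(CODE_TAG, w) for w in code_file.words)
        return base
    def store_data(self, value):
        # An ordinary program can only write data words; it never chooses the tag
        self.memory.append(Word(0, value))
        return len(self.memory) - 1
    def execute(self, address):
        word = self.memory[address]
        if word.tag != CODE_TAG:
            raise SecurityViolation(f"word {address} carries tag {word.tag}, not code")
        return word.value
```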